Analysis on Java Web Start Argument Injection Exploit

The recent discovery of Java Web Start Argument Injection vulnerability (CVE-2010-0886 and CVE-2010-0887) has opened a new opportunity for the bad guy to utilize it in drive-by download attack.

Here is a short write up on the example (in the wild) found early today, which exploiting this vulnerability.

The exploit was found on http://buckomre.com/ and here are the sequence of attack once opened on a vulnerable machine:

  1. http://buckomre.com/ <- The main exploit page
  2. http://buckomre.com/50035/44680 <- A PDF exploit (but we are not going to discuss about it in this entry)
  3. http://buckomre.com/50035/value3.php <- Here is where the Java vulnerability is triggered
  4. http://buckomre.com/50035/C0.php <- The JAR file that will be executed by the previous page
  5. http://buckomre.com/50035/54098876 <- The actual malware that will be downloaded and execute by the JAR

You can get more details from the Wepawet analysis result.

The 4th link from the list above will lead you to a JAR file called t4.jar. JAR file? A Java malware? It is not really a java malware. The t4.jar will later download a binary (MD5: 5493bb325f4b3a1cc6efab226d1c4600 ) , which is the real malware, and execute it.

Lets see the snip code of the JAR file once decompiled :

And finally lets see the result of Anubis analysis on the binary downloaded.

Oracle has released a security update for this issue on April 15, 2010. Users are highly encouraged to download the most recent release of Java SE to address these vulnerabilities.

Leave a Reply

Your email address will not be published. Required fields are marked *